Data security/physical security in light of recent events
 

Note: I realize there is already a thread focusing on the best bag/case for your laptop when checking it...this is peripherally related.

While we (in the US) are not yet being forced to check any/all electronics, folks in the UK are. I suspect that it's only a matter of time before similar rules are put in place here in the US. Given that...

What will be your solution/the best solution for data security should we be required to check laptops, BlackBerries, etc.? Obviously such items contain a wealth of not only personal but also corporate data. I know my boss isn't going to be very happy if my laptop disappears, it's loaded with proprietary information.

Since there are readily available software tools to reset Windows passwords, that's obviously not a realistic data security solution (relying on the Windows password). Does anyone have experience with token-based, etc. full disk encryption or other such measures for security? If so...thoughts? Is the best solution just pulling the laptop drive and carrying it on with you?

Might as well get this discussion going now, so that when it happens we've thought about it and discussed it.

Theres a few things you can do technology wise:

Cell Phones/Blackberrys: If you have GSM phone, set a SIM PIN. If someone tries to turn on your phone, they will be prompted for the PIN and wont be able to do anything else without it. If the PIN is incorrectly entered three times, the phone will ask for a code that only your provider knows.

Laptops: Set a password in the BIOS (be sure to clear it with your boss/IT first). If someone tries to turn your computer on, they will be immdiately prompted for it... the computer wont boot into anything untill its entered. Encrypt all of your sensitive data with an algorithm like AES and back everything up on a USB drive.

Full or partial hard drive encryption. Full encryption would start at boot up and without the password the machine would not have access to the hard drive. You could encrypt just specific data using TrueCrypt or something similar.

I had thought of HD encryption, but I don't like solutions that leave part of the drive unencrypted. My desktop system at home has an add-on interface card that requires a USB "key" (key in the literal sense, it's got a 2048-bit random noise key hard-coded into it) in order to activate the card and decrypt the data on the drive. Everything is encrypted...the entire OS and all data. Everything flows through the encryption system. I'm looking for something similar for a laptop.

Unfortunately, it also occurs to me that should we reach the point where battery-powered items are required to be checked, it will probably also be next to impossible to carry-on a USB key/drive. Too hard to prove it's inert/too easy to convert it into a triggering device (if you had such motivations). Which puts me in the same predicament...data that shouldn't leave my sight (encrypted or not) is now in the cargo hold of the plane, being handled by people I can't see and don't know.

The more I think about it, the more I realize that any such policy would end up being an unmitigated disaster from a data security perspective.

Along these lines I was thinking it might be safer to ship these items using FedEx/UPS/DHL/etc. although it does cost some bucks. For myself I'm thinking more about my photographic equipment along with my mp3, etc. These are all HPIs (Highly Pilferable Items) and I would rather spend money to ship them home if I have to rather than taking a chance on checking them into my baggage. Is this feasable? Or are the logistics such that I should just leave them at home and invest in some type of flying Mickey Finn for myself and forget the vacation pics? Is theft insurance available for these items? I think the airlines coverage probably wouldn't even cover the memory chips. I've got a trip to Paris coming up and as of today this is not an issue for me but if the UK carryon rules spread to France it would be an issue if the rules change while I'm enroute.

See, that's the really fun part...it's not unusual for me to be re-routed during a layover to an emergency situation. That's why I always carry on (though I honestly always carry small). If I end up having to check both laptop and cell phone, I'm screwed. Actually, it's more accurate to say my company and our clients are screwed. Not only is data at risk, but business/service will suffer as well.

One of my clients uses Pointsec to encrypt the entire hard drive of all machines. If you don't have the password and boot up you can't go any further. In addition to connect via the VPN there is a RSA SecureID token FOB. The security policy that was just released from this client is that the laptop can be checked, but the FOB must not be in the same bag as the Laptop.

I have not used it, but I've come across Compusec a freeware whole hard drive encryption.

I have been using Truecrypt on my personal desktop at home for my financial info, etc. I am very pleased with it.

And there's the rub. Even key fobs are required to be checked now in England. If it comes to the point where we (US) have to check laptops, cellphones, etc. I'm sure key fobs will be included. For obvious reasons you don't want the fob in the same pack with the laptop. However, now you're checking 2 bags (at least...1 with laptop, 1 with key fob) and doubling your chances of having one or both lost.

Truecrypt is a good suggestion. I haven't used it myself, but from a security point of view, it seems well-designed (which is not something I can say of all the products out there). And it's free.

Perhaps you could burn a disk with the key and bring it with you on the plane? That doesn't contain any electronics.

http://in.tech.yahoo.com/060323/137/634nv.html

For those of us in funds management, the Fidelity incident (lost notebook with personal information on 196,000 clients) was a bombshell (pardon the pun). IMHO this will force us all to spend more time on the issue of data security. While this will be horrible for SMEs, it *should* help with less leakage of personal data by the larger organisations.

Not a good way, though, to have to think about these issues...